RHSA-2011:1780 - Security Advisory

Synopsis

Type/Severity

Security Advisory: Moderate

Topic

Updated tomcat6 packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Description

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

APR (Apache Portable Runtime), as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions, does not refer to the APR provided by the apr packages. It refers to the APR-based connector implementation provided by the Tomcat Native library, which adds support for using APR with Tomcat. This library is not shipped with Red Hat Enterprise Linux 6. This update includes fixes for users who have elected to use APR with Tomcat by taking the Tomcat Native library from a different product. Such a configuration is not supported by Red Hat, however.

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially-crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6. (CVE-2011-2526)
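Whether CVE-2011-1184, CVE-2011-3190 and CVE-2011-2526 matter on a given host depends on which connectors server.xml actually ends up using and whether any application relies on DIGEST authentication. The short protocol names are resolved at startup: in Tomcat 6.0, "HTTP/1.1" (also the default when the attribute is absent) becomes the APR connector when the Tomcat Native library has been loaded through AprLifecycleListener and the BIO connector otherwise, and "AJP/1.3" likewise becomes the APR AJP connector or the JK connector. The following script is an added example, not Red Hat's or the Apache Tomcat project's code; the server.xml and web.xml it parses are constructed samples, and because a configuration file cannot reveal whether libtcnative is really on the JVM's library path, that fact is passed in as a parameter.

```python
"""Audit Tomcat 6 configuration for the connectors and auth method that
RHSA-2011:1780 discusses. Added example; not Red Hat's or the Apache Tomcat
project's code."""
import xml.etree.ElementTree as ET

BIO, NIO, APR = "BIO", "NIO", "APR"
AJP_COYOTE, AJP_APR, AJP_JK = "AJP-Coyote", "AJP-APR", "AJP-JK"

# Fully qualified protocol handler names a server.xml may use explicitly.
EXPLICIT_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol": BIO,
    "org.apache.coyote.http11.Http11NioProtocol": NIO,
    "org.apache.coyote.http11.Http11AprProtocol": APR,
    "org.apache.coyote.ajp.AjpProtocol": AJP_COYOTE,
    "org.apache.coyote.ajp.AjpAprProtocol": AJP_APR,
    "org.apache.jk.server.JkCoyoteHandler": AJP_JK,
}

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"


def resolve_connector(protocol, apr_available):
    """Map a Connector protocol attribute to the implementation Tomcat 6.0
    selects at startup: "HTTP/1.1" (the default) and "AJP/1.3" become the
    APR handlers when Tomcat Native is loaded, BIO and JK otherwise."""
    if protocol is None or protocol == "HTTP/1.1":
        return APR if apr_available else BIO
    if protocol == "AJP/1.3":
        return AJP_APR if apr_available else AJP_JK
    return EXPLICIT_PROTOCOLS.get(protocol, "unknown:" + protocol)


def local_name(tag):
    """Drop a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def audit(server_xml, web_xml, native_library_present):
    """Return one finding per connector or login-config the advisory covers.
    native_library_present says whether libtcnative is on the JVM's library
    path, which server.xml alone cannot tell us."""
    server = ET.fromstring(server_xml)
    apr_listener = any(lst.get("className") == APR_LISTENER
                       for lst in server.iter("Listener"))
    apr_available = apr_listener and native_library_present
    findings = []
    for conn in server.iter("Connector"):
        impl = resolve_connector(conn.get("protocol"), apr_available)
        port = conn.get("port", "?")
        if impl in (AJP_COYOTE, AJP_APR):
            findings.append(f"port {port}: {impl} connector; AJP message "
                            f"injection via crafted POST (CVE-2011-3190)")
        elif impl in (NIO, APR):
            sendfile = conn.get("useSendfile", "true")  # Tomcat's default is on
            findings.append(f"port {port}: {impl} HTTP connector, "
                            f"useSendfile={sendfile}; sendfile attribute "
                            f"security manager bypass (CVE-2011-2526)")
    web = ET.fromstring(web_xml)
    for elem in web.iter():
        if (local_name(elem.tag) == "auth-method"
                and (elem.text or "").strip().upper() == "DIGEST"):
            findings.append("web.xml: DIGEST auth-method; weakened DIGEST "
                            "implementation (CVE-2011-1184)")
    return findings


# Constructed sample configuration, not taken from any real host.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" useSendfile="false" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8010" protocol="org.apache.coyote.ajp.AjpProtocol" />
  </Service>
</Server>
"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>admin</realm-name>
  </login-config>
</web-app>
"""

if __name__ == "__main__":
    for present in (False, True):
        print(f"--- Tomcat Native on library path: {present}")
        for finding in audit(SERVER_XML, WEB_XML, present):
            print("  " + finding)
```

On the constructed sample, without Tomcat Native the port 8080 connector is BIO and port 8009 is JK, so only the explicit NIO and AjpProtocol connectors and the DIGEST login-config are reported; with Tomcat Native loaded, both short-named connectors flip to their APR implementations and are reported as well. Run the audit against the real files under the Tomcat configuration directory after confirming whether libtcnative is installed on the host.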

Red Hat would like to thank the Apache Tomcat project for reporting the CVE-2011-2526 issue.

This update also fixes the following bug:

Previously, in certain cases, if "LANG=fr_FR" or "LANG=fr_FR.UTF-8" was set as an environment variable or in "/etc/sysconfig/tomcat6" on 64-bit PowerPC systems, Tomcat may have failed to start correctly. With this update, Tomcat works as expected when LANG is set to "fr_FR" or "fr_FR.UTF-8". (BZ#748807)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
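Because the fixes are backported, the installed tomcat6 package keeps its 6.0.x upstream version string, so comparing version numbers against upstream release notes says nothing about whether a host is patched. The dependable check on Red Hat Enterprise Linux is the package changelog, which names the CVEs each errata build resolves. The script below is an added example rather than Red Hat tooling: it extracts CVE identifiers from "rpm -q --changelog tomcat6" output and reports which of the four identifiers in this advisory are absent. The changelog text embedded in it is a constructed sample in the shape of an RPM changelog, not the real tomcat6 changelog.

```python
"""Report which CVEs from RHSA-2011:1780 an installed tomcat6 package's
changelog does not mention. Added example, not Red Hat's own tooling."""
import re
import subprocess

ADVISORY_CVES = frozenset({"CVE-2011-1184", "CVE-2011-2204",
                           "CVE-2011-2526", "CVE-2011-3190"})
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_text(text):
    """All CVE identifiers mentioned anywhere in the text."""
    return set(CVE_RE.findall(text))


def missing_cves(changelog_text, expected=ADVISORY_CVES):
    """Advisory CVEs the changelog does not mention, sorted for stable output."""
    return sorted(expected - cves_in_text(changelog_text))


def installed_changelog(package="tomcat6"):
    """Fetch the RPM changelog of the installed package (needs rpm on PATH)."""
    result = subprocess.run(["rpm", "-q", "--changelog", package],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample in the shape of an RPM changelog. It is not the real
# tomcat6 changelog and deliberately names only two of the four CVEs.
SAMPLE_CHANGELOG = """\
* Mon Nov 07 2011 Example Packager <packager@example.com>
- Resolves: CVE-2011-3190 AJP request injection
- Resolves: CVE-2011-2204 password logged by MemoryUserDatabase

* Fri Aug 05 2011 Example Packager <packager@example.com>
- earlier fix, no CVE named
"""

if __name__ == "__main__":
    try:
        text = installed_changelog()
    except (OSError, subprocess.CalledProcessError):
        # No rpm or no tomcat6 package here: fall back to the sample.
        text = SAMPLE_CHANGELOG
    missing = missing_cves(text)
    if missing:
        print("not fully patched, missing: " + ", ".join(missing))
    else:
        print("all advisory CVEs present in changelog; restart Tomcat if "
              "the update was just applied")
```

A changelog that lists all four identifiers shows the package was built from the errata sources; it does not show that the running JVM has picked the new classes up, which is why the advisory requires a Tomcat restart.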

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259